[c-nsp] RELATED: Feedback on: Security Advice for Routers and Switches
A.L.M.Buxey at lboro.ac.uk
Sun May 6 17:36:26 EDT 2007
Hi,
> Alan,
>
> Did you try to disable ICMP redirects? (no ip redirects on the VLAN
> interface)?
ip local-proxy-arp seems to be the beast. Can anyone dissuade? With
this, coupled with DAI and a better L3 ACL on the VLAN, you should
be able to block any nefarious L3 attacks whilst reporting them etc.
Oh, a word of warning to those implementing this... by default, if
there are a dozen or so ARP spoofs in a short space of time, then
it'll trigger a port error - arpspoof - which can be auto-reset with
an errdisable recovery - or you can avoid it by setting no limit on the
arpspoof count. This could bite if the interface was a trunk feed
from a whole building/subnet/campus ;-)
alan
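Added example, not from Alan's post or anyone else in the thread: a Cisco Catalyst IOS fragment putting the pieces mentioned above side by side (ip local-proxy-arp plus no ip redirects on the SVI, DHCP snooping and DAI on the user VLAN, errdisable recovery), with the weak trunk configuration that the warning describes next to a corrected one. VLAN 10, the 10.10.0.0/24 addressing and the interface numbers are hypothetical. Two facts assumed from Cisco's DAI documentation: the err-disable cause DAI raises is called arp-inspection, and an untrusted port's default DAI rate limit is 15 packets per second, which is what turns a short burst of bogus ARPs into a downed port.

```ios
! Added example (hypothetical VLAN, addresses and port numbers); not the
! original poster's configuration.
!
! DHCP snooping builds the binding table that DAI validates ARP against.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! Dynamic ARP Inspection on the user VLAN, with the optional extra checks.
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! Without this, a port err-disabled by DAI stays down until someone
! shuts/no-shuts it. Recovery interval is in seconds.
errdisable recovery cause arp-inspection
errdisable recovery interval 300
!
! The L3 interface for the VLAN: hosts resolve each other through the
! switch, and ICMP redirects are turned off so it does not tell them to
! talk directly after all (the point raised in the quoted reply).
interface Vlan10
 ip address 10.10.0.1 255.255.255.0
 ip local-proxy-arp
 no ip redirects
!
! Access ports: untrusted, inspected, and rate-limited. The limit below is
! the default and is shown only to make it visible.
interface range GigabitEthernet1/0/1 - 47
 switchport mode access
 switchport access vlan 10
 ip arp inspection limit rate 15 burst interval 1
!
! --- WEAK: uplink trunk left at the defaults. It is untrusted for DAI and
! so inherits the 15 pps limit; one spoofing host anywhere behind it can
! err-disable the whole uplink.
interface GigabitEthernet1/0/48
 description uplink to building switch (weak variant)
 switchport mode trunk
 ip dhcp snooping trust
!
! --- CORRECTED: same trunk. Either trust it for DAI (ARP from behind it is
! not inspected at all, appropriate when the far-end switch does its own
! DAI), or keep inspecting but remove the rate limit so violations are
! dropped and logged without ever err-disabling the port.
interface GigabitEthernet1/0/48
 description uplink to building switch (corrected variant)
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
! Alternative to the trust line above, if the trunk should stay inspected:
!  no ip arp inspection trust
!  ip arp inspection limit none
```

Both corrected variants keep access ports rate-limited, so the err-disable behaviour still protects against a single host flooding ARP while the trunk that aggregates a building can no longer be taken down by it. Whichever variant is used, `show ip arp inspection interfaces` confirms the per-port trust state and rate limit before the change is rolled out.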